pam_roles(5)          Standards, Environments, and Macros         pam_roles(5)

       pam_roles - Solaris Roles account management module


       The pam_roles module implements pam_sm_acct_mgmt(3PAM). It provides
       functionality to verify that a user is authorized to assume a role. It
       also prevents direct logins to a role. The user_attr(4) database is
       used to determine which users can assume which roles.

       The PAM items PAM_USER and PAM_RUSER are used to determine the outcome
       of this module. PAM_USER represents the new identity being verified.
       PAM_RUSER, if set, represents the user asserting a new identity. If
       PAM_RUSER is not set, the real user ID of the calling service implies
       that the user is asserting a new identity. Notice that root can never
       have roles.

       This module is generally stacked above the pam_unix_account(5) module.

       The following options are interpreted:

       debug           Provides syslog(3C) debugging information at the
                       LOG_DEBUG level.

       The following values are returned:

       PAM_IGNORE              If the type of the new user identity (PAM_USER)
                               is "normal", or if the type of the new user
                               identity is "role" and the user asserting the
                               new identity (PAM_RUSER) has the new identity
                               name in its list of roles.

       PAM_USER_UNKNOWN        No account is present for user.

       PAM_PERM_DENIED         If the type of the new user identity (PAM_USER)
                               is "role" and the user asserting the new
                               identity (PAM_RUSER) does not have the new
                               identity name in its list of roles.

       Example 1: Using the pam_roles.so.1 module

       Here  are  sample entries from pam.conf(4) demonstrating the use of the
       pam_roles.so.1 module:

       cron account required pam_unix_account.so.1
       other account requisite pam_roles.so.1
       other account required pam_unix_account.so.1

       The cron service does not invoke pam_roles.so.1, because delayed jobs
       are independent of role assumption. All other services verify that a
       role cannot log in directly. The "su" service (covered by the "other"
       service entry) verifies that, if the new user is a role, the calling
       user is authorized for that role.
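       The decision the return-value list and the pam.conf example above
       describe, as an added stand-alone model (not the Solaris module
       source; it does not link against libpam): the user_attr(4) database
       is replaced by a constructed in-memory table and the PAM return codes
       by a local enum, and an unset PAM_RUSER is treated as a direct login.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the PAM return codes named above (not libpam's values). */
enum roles_result { R_PAM_IGNORE, R_PAM_PERM_DENIED, R_PAM_USER_UNKNOWN };

/* Constructed stand-in for user_attr(4): account type and the roles it may assume. */
struct attr { const char *name; const char *type; const char *roles; };
static const struct attr user_attr[] = {
    { "root",   "normal", "" },
    { "alice",  "normal", "sysadm,oper" },
    { "bob",    "normal", "oper" },
    { "sysadm", "role",   "" },
    { "oper",   "role",   "" },
};

static const struct attr *lookup(const char *name) {
    for (size_t i = 0; i < sizeof user_attr / sizeof *user_attr; i++)
        if (strcmp(user_attr[i].name, name) == 0) return &user_attr[i];
    return NULL;
}

/* True if the comma-separated list contains exactly `role` (no prefix matches). */
static int in_role_list(const char *list, const char *role) {
    size_t n = strlen(role);
    while (list && *list) {
        const char *end = strchr(list, ',');
        size_t len = end ? (size_t)(end - list) : strlen(list);
        if (len == n && strncmp(list, role, n) == 0) return 1;
        list = end ? end + 1 : NULL;
    }
    return 0;
}

/* Models the decision pam_roles makes in pam_sm_acct_mgmt(): `user` is PAM_USER,
 * `ruser` is PAM_RUSER, or NULL when it is unset (modelled here as a direct login). */
enum roles_result roles_acct_mgmt(const char *user, const char *ruser) {
    const struct attr *u = lookup(user);
    if (!u) return R_PAM_USER_UNKNOWN;
    if (strcmp(u->type, "role") != 0) return R_PAM_IGNORE;  /* normal account: nothing to decide */
    if (!ruser || strcmp(ruser, "root") == 0) return R_PAM_PERM_DENIED; /* direct login; root never has roles */
    const struct attr *r = lookup(ruser);
    return (r && in_role_list(r->roles, user)) ? R_PAM_IGNORE : R_PAM_PERM_DENIED;
}

int main(void) {
    const char *names[] = { "PAM_IGNORE", "PAM_PERM_DENIED", "PAM_USER_UNKNOWN" };
    printf("su alice -> sysadm: %s\n", names[roles_acct_mgmt("sysadm", "alice")]);
    printf("su bob   -> sysadm: %s\n", names[roles_acct_mgmt("sysadm", "bob")]);
    printf("login    -> oper:   %s\n", names[roles_acct_mgmt("oper", NULL)]);
    return 0;
}
```

       Like the real module, the model never returns a success code: a
       "normal" target is ignored so that pam_unix_account(5) below it decides.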

       See attributes(5) for descriptions of the following attributes:

       ATTRIBUTE TYPE            ATTRIBUTE VALUE
       Interface Stability       Evolving
       MT Level                  MT-Safe with exceptions

       roles(1), su(1M), libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM),
       pam_setcred(3PAM), pam_set_item(3PAM), pam_sm_acct_mgmt(3PAM),
       syslog(3C), pam.conf(4), user_attr(4), attributes(5),
       pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
       pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),

       The  interfaces  in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       This module should never be stacked alone. It never returns
       PAM_SUCCESS, as it never makes a positive decision.

SunOS 5.10                        9 Mar 2004                      pam_roles(5)